
Certificate chain verification in Service mesh

In a service mesh such as Istio, certificate chain verification is essential for establishing [[mutual TLS]] (mTLS) trust between workloads. This process relies on a hierarchical PKI (Public Key Infrastructure) in which a mesh-specific Certificate Authority (CA) issues workload credentials, and those credentials must be verifiable against a trusted root.^[README.md]

Root and Intermediate Authority

Operators can configure the mesh's internal CA (e.g., Citadel) to function as an Intermediate CA, operating under an externally managed Root CA.^[README.md] This setup, often referred to as "plugging in" a CA, allows organizations to align the mesh's identity system with their existing corporate security policies. To support this, operators must provide the intermediate CA certificate and its corresponding private key to the mesh control plane, while the root certificate serves as the ultimate trust anchor.^[README.md]

Certificate Structure and Chains

A valid certificate configuration includes several key artifacts: the Root CA certificate (root-cert.pem), the Intermediate CA certificate (ca-cert.pem), and the certificate chain (cert-chain.pem).^[README.md] The certificate chain explicitly defines the path of trust from the workload certificate, through the intermediate CA, up to the root CA.

Alternative or "rotate" configurations may involve a secondary set of files (e.g., ca-cert-alt.pem and cert-chain-alt.pem) to facilitate smooth transitions between cryptographic materials without downtime.^[README.md]

Workload Verification

Workloads within the mesh (such as services 'foo' or 'bar') are issued identity certificates (e.g., workload-foo-cert.pem) signed by the intermediate CA.^[README.md] These certificates typically encode the workload's identity in the Subject Alternative Name (SAN) field using the SPIFFE standard (e.g., spiffe://trust-domain-foo/ns/foo/sa/foo).^[README.md]

During verification, a workload presents its certificate. The peer verifies it by checking the signature with the issuer's public key and confirming that the issuer's certificate is part of the trusted cert-chain.pem, which leads back to the installed root-cert.pem.^[README.md]

Sources

^[README.md]